diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9c7f41da0b..594a2dfbf5 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -864,16 +864,23 @@ scan-build: when: on_failure # Jobs for strict OpenSSL 3.x (no deprecated) GCC builds on Debian "sid" (amd64) +# Run with pkcs11-provider tests gcc:ossl3:sid:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -O3 -DOPENSSL_NO_DEPRECATED=1 -DOPENSSL_API_COMPAT=30000" + # See https://gitlab.isc.org/isc-projects/bind9/-/issues/3444 + EXTRA_CONFIGURE: "--without-jemalloc --disable-leak-detection" RUN_MAKE_INSTALL: 1 <<: *debian_sid_amd64_image <<: *build_job system:gcc:ossl3:sid:amd64: + # Set up environment variables to run pkcs11-provider system tests + variables: + OPENSSL_CONF: "/var/tmp/etc/openssl-provider.cnf" + SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf" <<: *debian_sid_amd64_image <<: *system_test_job needs: @@ -1207,10 +1214,8 @@ gcc:bullseye:amd64: system:gcc:bullseye:amd64: # Set up environment variables that allow the "keyfromlabel" system test to be run variables: - DEFAULT_OPENSSL_CONF: "/etc/ssl/openssl.cnf" OPENSSL_CONF: "/var/tmp/etc/openssl.cnf" SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf" - SOFTHSM2_MODULE: "/usr/lib/softhsm/libsofthsm2.so" <<: *debian_bullseye_amd64_image <<: *system_test_job needs: @@ -1240,10 +1245,8 @@ clang:bookworm:amd64: system:clang:bookworm:amd64: # Set up environment variables that allow the "keyfromlabel" system test to be run variables: - DEFAULT_OPENSSL_CONF: "/etc/ssl/openssl.cnf" OPENSSL_CONF: "/var/tmp/etc/openssl.cnf" SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf" - SOFTHSM2_MODULE: "/usr/lib/softhsm/libsofthsm2.so" <<: *debian_bookworm_amd64_image <<: *system_test_job needs: diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common index c31c82eb74..53065625eb 100644 --- a/bin/tests/system/conf.sh.common +++ b/bin/tests/system/conf.sh.common 
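Review bot: `--disable-leak-detection` in `EXTRA_CONFIGURE` for `gcc:ossl3:sid:amd64` switches leak checking off in the one build that exercises the pkcs11-provider path, so a leak introduced in the provider/engine code would pass this pipeline unnoticed; the comment only cites the issue number, not what is being worked around or when it can go. I'd make the intent explicit: `# Workaround for https://gitlab.isc.org/isc-projects/bind9/-/issues/3444; remove --without-jemalloc/--disable-leak-detection once resolved`. The system job also points `OPENSSL_CONF` at `/var/tmp/etc/openssl-provider.cnf`, which nothing in this diff creates (presumably the sid image ships it); since `parse_openssl_config` returns silently when that file is absent and the tests then skip, a one-line comment saying where the file comes from would save the next person a hunt.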
@@ -728,3 +728,27 @@ copy_setports() { -e "s/@DISABLED_BITS@/${DISABLED_BITS}/g" \ $1 > $2 } + +# parse_openssl_config - Parse OpenSSL configuration for HSM settings +# +# Will set SOFTHSM2_MODULE, OPENSSL_ENGINE and ENGINE_ARG based on openssl configuration. +parse_openssl_config() { + ENGINE_ARG="" + [ -f "$OPENSSL_CONF" ] || return 0 + while IFS="=" read key val; do + # trim variables + key="${key## }" + key="${key%% }" + val="${val## }" + val="${val%% }" + case "$key" in + "engine_id") + OPENSSL_ENGINE="$val" + ENGINE_ARG="-E $OPENSSL_ENGINE" + ;; + "MODULE_PATH"|"pkcs11-module-path") + SOFTHSM2_MODULE="$val" + ;; + esac + done < "$OPENSSL_CONF" +} diff --git a/bin/tests/system/enginepkcs11/clean.sh b/bin/tests/system/enginepkcs11/clean.sh index 789666e7c9..087b434792 100644 --- a/bin/tests/system/enginepkcs11/clean.sh +++ b/bin/tests/system/enginepkcs11/clean.sh @@ -26,10 +26,10 @@ rm -f ns1/*.example.db ns1/*.example.db.signed rm -f ns1/*.kskid1 ns1/*.kskid2 ns1/*.zskid1 ns1/*.zskid2 rm -f ns1/dig.out.* rm -f ns1/K* -rm -f ns1/named.conf ns1/named.run ns1/named.memstats +rm -f ns1/named.conf ns1/named.args ns1/named.run ns1/named.memstats rm -f ns1/update.cmd.* rm -f ns1/update.log.* rm -f ns1/verify.out.* rm -f ns1/zone.*.signed.jnl ns1/zone.*.signed.jbk -softhsm2-util --delete-token --token "softhsm2-enginepkcs11" >/dev/null 2>&1 || echo_i "softhsm2-enginepkcs11 token not found for cleaning" +OPENSSL_CONF= softhsm2-util --delete-token --token "softhsm2-enginepkcs11" >/dev/null 2>&1 || echo_i "softhsm2-enginepkcs11 token not found for cleaning" diff --git a/bin/tests/system/enginepkcs11/ns1/named.args b/bin/tests/system/enginepkcs11/ns1/named.args deleted file mode 100644 index 0568fa981c..0000000000 --- a/bin/tests/system/enginepkcs11/ns1/named.args +++ /dev/null @@ -1 +0,0 @@ --E pkcs11 -D enginepkcs11-ns1 -X named.lock -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152 
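Review bot: The trim in `parse_openssl_config` removes exactly one space at each end — `${key## }` and `${key%% }` match a single space character — so `MODULE_PATH<TAB>= …` or `key  = value` with two spaces leaves whitespace in `$key`/`$val`, the `case` never matches, and `SOFTHSM2_MODULE` stays unset with no diagnostic. Replace the four trims with `key=$(printf '%s' "$key" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')` and the same for `val`, and use `read -r` so a backslash in a path is not interpreted. Values quoted in the cnf (`"/usr/lib/…"`) would also keep their quotes and fail the later `-f` test — presumably the CI configs are unquoted, but the header comment should state that expectation. The loop also ignores `[section]` headers, so an `engine_id` in any section selects engine mode; fine for the test configs, but worth a sentence in the comment above the function.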
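Review bot: The `OPENSSL_CONF=` prefix on the `softhsm2-util --delete-token` line is unexplained, and the same prefix is now on every softhsm2-util and pkcs11-tool invocation across both tests, so the reason will be lost the first time someone copies the line without it. I'd add above it `# softhsm2-util links OpenSSL; clear OPENSSL_CONF so it does not load the pkcs11 engine/provider (and SoftHSM) back into itself` — hedged as "presumably", since the diff does not state the motivation. Given the repetition, a `softhsm2_util() { OPENSSL_CONF= command softhsm2-util "$@"; }` helper next to `parse_openssl_config` in conf.sh.common would keep the rationale in one place.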
diff --git a/bin/tests/system/enginepkcs11/ns1/named.args.in b/bin/tests/system/enginepkcs11/ns1/named.args.in new file mode 100644 index 0000000000..e4dd595315 --- /dev/null +++ b/bin/tests/system/enginepkcs11/ns1/named.args.in @@ -0,0 +1 @@ +@ENGINE_ARGS@ -D enginepkcs11-ns1 -X named.lock -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152 diff --git a/bin/tests/system/enginepkcs11/prereq.sh b/bin/tests/system/enginepkcs11/prereq.sh index 296452b402..847cecb611 100644 --- a/bin/tests/system/enginepkcs11/prereq.sh +++ b/bin/tests/system/enginepkcs11/prereq.sh @@ -13,9 +13,20 @@ . ../conf.sh -if [ -n "${SOFTHSM2_MODULE}" ] && command -v softhsm2-util >/dev/null; then - exit 0 -fi +[ -n "${SOFTHSM2_CONF}" ] || { + echo_i "skip: softhsm2 configuration not available" + exit 255 +} -echo_i "skip: softhsm2-util not available" -exit 255 +parse_openssl_config +[ -f "$SOFTHSM2_MODULE" ] || { + echo_i "skip: softhsm2 module not available" + exit 1 +} + +for _bin in softhsm2-util pkcs11-tool; do + command -v "$_bin" >/dev/null || { + echo_i "skip: $_bin not available" + exit 1 + } +done diff --git a/bin/tests/system/enginepkcs11/setup.sh b/bin/tests/system/enginepkcs11/setup.sh index 49988ad66c..8672363755 100644 --- a/bin/tests/system/enginepkcs11/setup.sh +++ b/bin/tests/system/enginepkcs11/setup.sh @@ -16,12 +16,14 @@ set -e -softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-enginepkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' +OPENSSL_CONF= softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-enginepkcs11" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' printf '%s' "${HSMPIN:-1234}" > pin +parse_openssl_config PWD=$(pwd) copy_setports ns1/named.conf.in ns1/named.conf +sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" < ns1/named.args.in > ns1/named.args keygen() { type="$1" 
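Review bot: After `parse_openssl_config`, a missing `$SOFTHSM2_MODULE` or tool exits 1 while a missing `SOFTHSM2_CONF` exits 255, so two "skip" paths report different statuses; if the runner treats 255 as SKIPPED and other non-zero codes differently (run.sh is not in this diff, so I cannot tell), a CI job that deliberately sets `SOFTHSM2_CONF`/`OPENSSL_CONF` would turn a broken HSM setup — wrong key name in the cnf, module path typo — into a quiet skip instead of a failure. At minimum log what was parsed so the skip is diagnosable: `echo_i "skip: softhsm2 module not available (SOFTHSM2_MODULE='$SOFTHSM2_MODULE' from OPENSSL_CONF='$OPENSSL_CONF')"`. Note also that `parse_openssl_config` returns early when `OPENSSL_CONF` is unset and legacy.run.sh.in no longer forwards `SOFTHSM2_MODULE`, so running these tests with the module given only via the environment no longer seems possible; if that is intended, the skip message should say an openssl.cnf is now required.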
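Review bot: `sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g"` in setup.sh interpolates `ENGINE_ARG` unescaped into the sed expression, so an `engine_id` containing `/`, `&` or `\` (copied verbatim from the cnf by `parse_openssl_config`) would corrupt or abort the substitution; it works for the current values, but `copy_setports` is the file's existing templating path for `named.conf.in`, and routing `named.args.in` through it (adding `ENGINE_ARGS` to its `-e` list) keeps all `@…@` substitution in one place with one quoting convention. The placeholder is `@ENGINE_ARGS@` while the variable is `ENGINE_ARG`; aligning the two names avoids a grep mismatch later. Both points concern the two lines added after `printf '%s' "${HSMPIN:-1234}" > pin`.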
@@ -31,7 +33,7 @@ keygen() { label="${id}-${zone}" p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') - pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id 2> pkcs11-tool.err.$zone.$id || return 1 + OPENSSL_CONF= pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-enginepkcs11" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id 2> pkcs11-tool.err.$zone.$id || return 1 } keyfromlabel() { @@ -41,7 +43,7 @@ keyfromlabel() { dir="$4" shift 4 - $KEYFRLAB -K $dir -E pkcs11 -a $alg -l "token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2> keyfromlabel.err.$zone.$id || return 1 + $KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2> keyfromlabel.err.$zone.$id || return 1 cat keyfromlabel.out.$zone.$id } @@ -86,7 +88,7 @@ do echo_i "Sign zone with $ksk1 $zsk1" cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" > "${dir}/${zonefile}" - $SIGNER -K $dir -E pkcs11 -S -a -g -O full -o "$zone" "${dir}/${zonefile}" > signer.out.$zone || ret=1 + $SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile}" > signer.out.$zone || ret=1 test "$ret" -eq 0 || exit 1 echo_i "Generate successor keys $alg $type:$bits for zone $zone" diff --git a/bin/tests/system/enginepkcs11/tests.sh b/bin/tests/system/enginepkcs11/tests.sh index f8f0317d9b..94b9320a37 100644 --- a/bin/tests/system/enginepkcs11/tests.sh +++ b/bin/tests/system/enginepkcs11/tests.sh @@ -16,6 +16,7 @@ set -e # shellcheck source=conf.sh . ../conf.sh +parse_openssl_config PWD=$(pwd) status=0 diff --git a/bin/tests/system/keyfromlabel/clean.sh b/bin/tests/system/keyfromlabel/clean.sh index bce20990be..1a5adb1d95 100644 
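Review bot: In the `keyfromlabel()` hunk, `$KEYFRLAB $ENGINE_ARG -K $dir …` relies on `$ENGINE_ARG` being unquoted so that `-E pkcs11` splits into two arguments and an empty value vanishes; that is correct, but it is exactly what shellcheck SC2086 flags and the file is shellcheck-aware (`# shellcheck source=conf.sh`). Add `# shellcheck disable=SC2086 # ENGINE_ARG is "-E <engine>" or empty; word splitting is intended` above that line and above `$SIGNER $ENGINE_ARG` in the following hunk. The label also changes from `token=…` to `pkcs11:token=…`; I cannot tell from the diff whether the engine back end (`-E pkcs11`) accepts the URI form as well as the provider does, so if it was verified, a sentence in the commit message would be worth it.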
--- a/bin/tests/system/keyfromlabel/clean.sh +++ b/bin/tests/system/keyfromlabel/clean.sh @@ -24,4 +24,4 @@ rm -f keyfromlabel.out.* rm -f pkcs11-tool.out.* rm -f signer.out.* -softhsm2-util --delete-token --token "softhsm2-keyfromlabel" >/dev/null 2>&1 || echo_i "softhsm2-keyfromlabel token not found for cleaning" +OPENSSL_CONF= softhsm2-util --delete-token --token "softhsm2-keyfromlabel" >/dev/null 2>&1 || echo_i "softhsm2-keyfromlabel token not found for cleaning" diff --git a/bin/tests/system/keyfromlabel/prereq.sh b/bin/tests/system/keyfromlabel/prereq.sh index 2002c2a469..847cecb611 100644 --- a/bin/tests/system/keyfromlabel/prereq.sh +++ b/bin/tests/system/keyfromlabel/prereq.sh @@ -13,9 +13,20 @@ . ../conf.sh -if [ -n "${SOFTHSM2_MODULE}" ] && command -v pkcs11-tool >/dev/null && command -v softhsm2-util >/dev/null; then - exit 0 -fi +[ -n "${SOFTHSM2_CONF}" ] || { + echo_i "skip: softhsm2 configuration not available" + exit 255 +} -echo_i "skip: softhsm2-util or pkcs11-tool not available" -exit 255 +parse_openssl_config +[ -f "$SOFTHSM2_MODULE" ] || { + echo_i "skip: softhsm2 module not available" + exit 1 +} + +for _bin in softhsm2-util pkcs11-tool; do + command -v "$_bin" >/dev/null || { + echo_i "skip: $_bin not available" + exit 1 + } +done diff --git a/bin/tests/system/keyfromlabel/setup.sh b/bin/tests/system/keyfromlabel/setup.sh index 703814d62d..e99bd5e866 100644 --- a/bin/tests/system/keyfromlabel/setup.sh +++ b/bin/tests/system/keyfromlabel/setup.sh @@ -16,7 +16,7 @@ set -e -softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-keyfromlabel" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' +OPENSSL_CONF= softhsm2-util --init-token --free --pin 1234 --so-pin 1234 --label "softhsm2-keyfromlabel" | awk '/^The token has been initialized and is reassigned to slot/ { print $NF }' printf '%s' "${HSMPIN:-1234}" > pin PWD=$(pwd) 
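Review bot: This new `prereq.sh` is byte-identical to `enginepkcs11/prereq.sh` (both index lines end in blob `847cecb611`), so the next change to the skip logic has to be made twice and the two copies will drift. I'd move the body into a `softhsm2_prereq()` helper next to `parse_openssl_config` in conf.sh.common and reduce each prereq.sh to `. ../conf.sh` followed by `softhsm2_prereq`. If they are kept separate, a comment in each pointing at the other (`# keep in sync with enginepkcs11/prereq.sh`) is the minimum.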
diff --git a/bin/tests/system/keyfromlabel/tests.sh b/bin/tests/system/keyfromlabel/tests.sh index 5cedbf93d1..c7898599be 100644 --- a/bin/tests/system/keyfromlabel/tests.sh +++ b/bin/tests/system/keyfromlabel/tests.sh @@ -16,6 +16,7 @@ set -e # shellcheck source=conf.sh . ../conf.sh +parse_openssl_config PWD=$(pwd) keygen() { @@ -26,7 +27,7 @@ keygen() { label="${id}-${zone}" p11id=$(echo "${label}" | openssl sha1 -r | awk '{print $1}') - pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-keyfromlabel" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1 + OPENSSL_CONF= pkcs11-tool --module $SOFTHSM2_MODULE --token-label "softhsm2-keyfromlabel" -l -k --key-type $type:$bits --label "${label}" --id "${p11id}" --pin $(cat $PWD/pin) > pkcs11-tool.out.$zone.$id || return 1 } keyfromlabel() { @@ -35,10 +36,11 @@ keyfromlabel() { id="$3" shift 3 - $KEYFRLAB -E pkcs11 -a $alg -l "token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id 2>> /dev/null || return 1 + $KEYFRLAB $ENGINE_ARG -a $alg -l "pkcs11:token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >> keyfromlabel.out.$zone.$id || return 1 cat keyfromlabel.out.$zone.$id } +status=0 infile="template.db.in" for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ ecdsap256sha256:EC:prime256v1 ecdsap384sha384:EC:prime384v1 @@ -83,7 +85,7 @@ do echo_i "Sign zone with $ksk $zsk" ret=0 cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" - $SIGNER -E pkcs11 -S -a -g -o "$zone" "$zonefile" > signer.out.$zone || ret=1 + $SIGNER $ENGINE_ARG -S -a -g -o "$zone" "$zonefile" > signer.out.$zone || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) fi diff --git a/bin/tests/system/legacy.run.sh.in b/bin/tests/system/legacy.run.sh.in index 5084c3148e..39891193ed 100644 --- a/bin/tests/system/legacy.run.sh.in +++ b/bin/tests/system/legacy.run.sh.in 
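Review bot: Dropping `2>> /dev/null` from the `$KEYFRLAB` call in `keyfromlabel()` sends its stderr to the test's own stderr instead of capturing it, whereas the sibling `enginepkcs11/setup.sh` writes it to `keyfromlabel.err.$zone.$id`, which is much easier to inspect after a failure. Use the same pattern here — `2> keyfromlabel.err.$zone.$id || return 1` — and add `rm -f keyfromlabel.err.*` to keyfromlabel/clean.sh so the artefact is cleaned up. The `$SIGNER $ENGINE_ARG` line in the last hunk has the same intentional word splitting as in enginepkcs11 and deserves the same `# shellcheck disable=SC2086` annotation.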
@@ -80,7 +80,6 @@ if ! $do_run; then
 SLOT="$SLOT" \
 ${OPENSSL_CONF:+OPENSSL_CONF="$OPENSSL_CONF"} \
 SOFTHSM2_CONF="$SOFTHSM2_CONF" \
- SOFTHSM2_MODULE="$SOFTHSM2_MODULE" \
 PATH="$PATH" \
 ${LD_LIBRARY_PATH:+"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"} \
 TESTS="$*" \